JH_Dev

Reputation: 446

Client and User Access to protected API using Identity Server

I am wondering about one aspect of Identity Server that I hope to use in my projects.

The scenario is relatively simple:

The caveat here is that I would still like to restrict the API so that it can only be accessed by the clients registered in Identity Server.

Is this scenario possible in Identity Server?

I understand I would set up the Admin Policy on the API, but do I also have to set up a CORS feature as well, or does Identity Server do this out of the box using the Allowed Scopes and Resources configuration?

Apologies if the explanation is poor; I will try and add a diagram soon.

Upvotes: 1

Views: 1363

Answers (1)

devdigital

Reputation: 34369

Yes, if you wish to restrict API access to authenticated requests only, one way is via scope validation by setting up a global authorization policy (see https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation).

Your admin endpoints would check for an additional claim. There are several ways to do this; one way is policy-based authorization (https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.2).

You will need to configure the CORS middleware for your API (see https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.2). If you need CORS access to the Identity Server endpoints, then you'll need to configure Identity Server (see http://docs.identityserver.io/en/latest/topics/cors.html).

Upvotes: 2
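The three pieces the answer describes (token validation with a global scope policy, a separate policy for admin endpoints, and CORS on the API) fit together in one ASP.NET Core 2.2 `Startup`. The following is an added example, not code from the question or the answer; the authority URL, the API resource name `api1`, the `role`/`admin` claim used for the admin policy, the SPA origin and the `AdminController` are all assumed placeholders.

```csharp
// Added example: ASP.NET Core 2.2 API protected by Identity Server tokens.
// Assumed values: authority URL, API resource name "api1", the "role" claim
// with value "admin", and the SPA origin. Adjust them to your own configuration.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Validate bearer tokens issued by Identity Server
        //    (IdentityServer4.AccessTokenValidation package).
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://identityserver.example.com"; // assumed
                options.ApiName = "api1";                                 // assumed API resource name
            });

        // 2. Global policy: every endpoint requires an authenticated caller whose
        //    token carries the "api1" scope. Only clients registered in Identity
        //    Server with that scope in AllowedScopes can obtain such a token, which
        //    is what restricts the API to registered clients.
        var globalPolicy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .RequireClaim("scope", "api1")
            .Build();

        services.AddMvc(options => options.Filters.Add(new AuthorizeFilter(globalPolicy)))
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

        // 3. Admin policy: an additional claim checked only on admin endpoints.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("Admin", policy => policy.RequireClaim("role", "admin")); // assumed claim
        });

        // 4. CORS for the browser-based client. List the explicit origins you trust
        //    rather than AllowAnyOrigin; CORS is enforced by the browser, so it is a
        //    complement to, not a substitute for, the token checks above.
        services.AddCors(options =>
        {
            options.AddPolicy("Spa", builder => builder
                .WithOrigins("https://spa.example.com") // assumed origin
                .AllowAnyHeader()
                .AllowAnyMethod());
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("Spa");      // before authentication so preflight requests are answered
        app.UseAuthentication();
        app.UseMvc();
    }
}

// Admin endpoints opt into the extra policy on top of the global scope policy.
[Route("api/admin")]
[Authorize(Policy = "Admin")]
public class AdminController : ControllerBase
{
    [HttpGet("users")]
    public IActionResult GetUsers() => Ok(new[] { "alice", "bob" }); // constructed sample data
}
```

With this wiring, a request without a valid Identity Server token (or with a token lacking the `api1` scope) is rejected by the global filter before any controller runs, while `api/admin` additionally requires the `role=admin` claim. The CORS policy only governs what browsers are allowed to send cross-origin; it has no bearing on which clients Identity Server will issue tokens to, which is controlled by the client and scope configuration in Identity Server itself.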
